How Telcos Can Stop Caller-ID Spoofing in Robocalls
M. E. Kabay, PhD []
Emeritus Professor of Computer Information Systems
School of Cybersecurity, Data Science & Computing
College of Professional Schools
Criminals are increasingly using spoofed caller-IDs on robocalls to fool victims into answering the phone or complying with fraudulent offers or demands. A robocall is a telephone call originated by a computer program, usually using voice over Internet protocol (VoIP).[]
The US Federal Communications Commission (FCC) defines spoofing as follows:
“Spoofing” occurs when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used in fraudulent activity or sold illegally. U.S. law and FCC rules prohibit most types of spoofing.
Caller ID lets consumers avoid unwanted phone calls by displaying caller names and phone numbers, but the caller ID feature is sometimes manipulated by spoofers who masquerade as representatives of banks, creditors, insurance companies, or even the government.[]
The FCC points out that using fake caller-IDs for fraud is illegal:
Under the Truth in Caller ID Act, FCC rules prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. If no harm is intended or caused, spoofing is not illegal. Anyone who is illegally spoofing can face penalties of up to $10,000 for each violation. In some cases, spoofing can be permitted by courts for people who have legitimate reasons to hide their information, such as law enforcement agencies working on cases, victims of domestic abuse or doctors who wish to discuss private medical matters.
Some anti-robocall activists have implemented whitelists (approved phone numbers) and blacklists (blocked phone numbers) for automatic blocking based on databases of originating numbers updated by subscribers. Nomorobo, for example, “…blocked 15.1 million robocalls” in 2014 for clients that are using VoIP[]. However, critics have noted that any -list system requires constant maintenance: “According to AT&T, a blacklist would be a nightmare to maintain and could inadvertently block legitimate numbers.”
In my judgement, a simple technique for telecommunication companies (telcos) to test inbound calls for caller-ID spoofing has four questions in the algorithm:
1. Is the phone number in the caller-ID real? That is, can the telco find the supposed originating number assigned to a user anywhere in North America? If not, prevent the call from even ringing the target phone.
2. Is the phone number in the caller-ID actually in use (busy) while the call is in progress? If not, the caller-ID is fake and that particular call can also be blocked immediately.
3. Does the caller-ID match the target ID? If so, block that call.
4. If the phone number in the caller-ID is in use, is the number being called by the real account the target of the phone call being examined? If not, block that call.
The FCC chairman has argued that carriers should be allowed or even encouraged to block robocalls using spoofed caller-IDs and mentions the idea in point #1 above:
The proposed rules would let providers “block spoofed robocalls when the spoofed Caller ID can’t possibly be valid.” Providers would be able to block numbers that aren’t valid under the North American Numbering Plan and block valid numbers that haven’t been allocated to any phone company. They’d also be able to block valid numbers that have been allocated to a phone company but haven’t been assigned to a subscriber.[]
It is important to note that caller-IDs of real phone lines that are used without any involvement of the registered user of the spoofed ID must not be globally blocked. There are already cases of serious damage to innocent subscribers whose legitimate phone numbers have been appropriated by the criminals using spoofed caller-IDs.[]
The algorithm above has the following advantages:
1. There are no new lists to maintain.
2. Processing is completely decentralized, being carried out by the central switches (the computers running the phone system for an area) for every group of exchanges (3-digit prefix to a US phone number – e.g., “234” in 800-234-0000).
3. Wireless carriers can use the same approach.
4. Legitimate calls by callers not spoofing their caller-ID are not blocked.
It might be appropriate for telcos to allow users to opt into or opt out of the new blocking feature; however, I’d be sorry if they chose to limit the service to those who can pay additional fees beyond their existing phone coverage plans.
Let’s hope that we see progress soon.[]
Brodkin, J. 2017. "FCC chair wants carriers to block robocalls from spoofed numbers." ars technica. Mar 03. Accessed Aug 11, 2017. https://arstechnica.com/information-technology/2017/03/robocalls-begone-fcc-seeks-to-block-calls-from-spoofed-numbers/.
Freedman, A. 2017. "VoIP." Computer Desktop Encyclopedia. 08 01. Accessed Aug 11, 2017. http://lookup.computerlanguage.com/host_app/search?cid=C999999&term=voip.
McMillan, R. 2015. "THIS GUY FOUND A WAY TO BLOCK ROBOCALLS WHEN PHONE COMPANIES WOULDN'T." WIRED. Jan 27. Accessed Aug 11, 2017. https://www.wired.com/2015/01/guy-found-way-block-robocalls-phone-companies-wouldnt/.
US Federal Communications Commission. 2017. "FCC Consumer Complaint Center." FCC.GOV. Accessed Aug 11, 2017. https://consumercomplaints.fcc.gov/hc/en-us/requests/new?ticket_form_id=39744.
—. 2017. "Spoofing and Caller ID." FCC Home / For Consumers. Aug 3. Accessed Aug 11, 2017. https://www.fcc.gov/consumers/guides/spoofing-and-caller-id.
YouMail.com. 2017. "Measure the Problem." Robocall Index. Jul 31. Accessed Aug 11, 2017. https://robocallindex.com/.
Zimmerman, S. 2015. "After Scammers Hijack Man’s Phone Number, Angry Calls Come Twice a Minute." ABC News. Feb 05. Accessed Aug 11, 2017. http://abcnews.go.com/US/scammers-hijack-mans-phone-number-angry-calls-minute/story?id=28750289.